eaglegai [Thu, 28 Oct 2021 13:51:13 +0000 (21:51 +0800)]
fix undefined-shift in put_res_rec fuzz error: ../../source3/libsmb/nmblib.c:451:4: runtime error: left shift of 65312 by 16 places cannot be represented in type 'int'
Author: eaglegai <eaglegai@163.com>
Signed-off-by: eaglegai <eaglegai@163.com> Reviewed-by: Jeremy Allison <jra@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Oct 29 20:29:26 UTC 2021 on sn-devel-184
Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Oct 29 14:57:14 UTC 2021 on sn-devel-184
Jeremy Allison [Mon, 25 Oct 2021 19:21:37 +0000 (12:21 -0700)]
s3: smbd: Fix rmdir_internals() to do an early return if lp_delete_veto_files() is not set.
Fix the comments to match what the code actually does. The
exit at the end of the scan directory loop if we find a client
visible filename is a change in behavior, but the previous
behavior (not exist on visible filename, but delete it) was
a bug and in non-tested code. Now it's testd.
editorconfig: Heimdal has mixed spaces and tabs with different width
Signed-off-by: Andreas Schneider <asn@cryptomilk.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Oct 29 10:16:15 UTC 2021 on sn-devel-184
Signed-off-by: Andreas Schneider <asn@cryptomilk.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Oct 28 19:03:04 UTC 2021 on sn-devel-184
Ralph Boehme [Thu, 28 Oct 2021 08:18:17 +0000 (10:18 +0200)]
lib: update null_nttime() of -1: -1 is NTTIME_FREEZE
NTTIME_FREEZE is not a nil sentinel value, instead it implies special, yet
unimplemented semantics. Callers must deal with those values specifically and
null_nttime() must not lie about their nature.
Signed-off-by: Andreas Schneider <asn@cryptomilk.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Thu Oct 28 13:23:34 UTC 2021 on sn-devel-184
Signed-off-by: David Mulder <dmulder@suse.com> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): David Mulder <dmulder@samba.org>
Autobuild-Date(master): Tue Oct 26 16:00:28 UTC 2021 on sn-devel-184
David Mulder [Mon, 25 Oct 2021 14:49:35 +0000 (08:49 -0600)]
samba-tool: Pick local host if calling samba-tool from DC
It is reasonable to assume, that if we are running a command from a DC,
that a user expects that the command will run against this DC.
Signed-off-by: David Mulder <dmulder@suse.com> Reviewed-by: Rowland Penny <rpenny@samba.org>
Autobuild-User(master): David Mulder <dmulder@samba.org>
Autobuild-Date(master): Tue Oct 26 14:23:42 UTC 2021 on sn-devel-184
Signed-off-by: Andreas Schneider <asn@cryptomilk.org> Reviewed-by: David Mulder <dmulder@suse.com>
Autobuild-User(master): David Mulder <dmulder@samba.org>
Autobuild-Date(master): Mon Oct 25 15:04:18 UTC 2021 on sn-devel-184
Joseph Sutton [Thu, 21 Oct 2021 03:46:56 +0000 (16:46 +1300)]
tests/krb5: Check account name and SID in PAC for S4U tests
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Oct 25 09:23:35 UTC 2021 on sn-devel-184
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sat Oct 23 08:07:13 UTC 2021 on sn-devel-184
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Oct 20 12:54:54 UTC 2021 on sn-devel-184
Commit f469fc6 (2010-10-02) inadvertently caused the previous hop realm
to not be added to the transit path of issued tickets. This may, in
some cases, enable bypass of capath policy in Heimdal versions 1.5
through 7.2.
Note, this may break sites that rely on the bug. With the bug some
incomplete [capaths] worked, that should not have. These may now break
authentication in some cross-realm configurations.
Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Oct 20 10:58:37 UTC 2021 on sn-devel-184
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Oct 20 09:22:43 UTC 2021 on sn-devel-184
netlogon_creds_cli: add netlogon_creds_cli_SendToSam_recv() and don't ignore result
This is a low level function that should not ignore results.
If the caller doesn't care it's his choice.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Oct 19 20:20:00 UTC 2021 on sn-devel-184
libcli/smb: use MID=0 for SMB2 Cancel with ASYNC_ID and legacy signing algorithms
We can only assume that servers with support for AES-GMAC-128 signing
will except an SMB2 Cancel with ASYNC_ID and real MID.
This strategy is also used by Windows clients, because
some vendors don't cope otherwise.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Oct 19 19:23:39 UTC 2021 on sn-devel-184
Signed-off-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Oct 19 09:14:10 UTC 2021 on sn-devel-184
Signed-off-by: Martin Schwenke <martin@meltin.net> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Oct 18 17:19:17 UTC 2021 on sn-devel-184
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sun Oct 17 23:40:33 UTC 2021 on sn-devel-184
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Oct 15 10:00:47 UTC 2021 on sn-devel-184
Andrew Bartlett [Thu, 14 Oct 2021 19:22:17 +0000 (08:22 +1300)]
gitlab-ci: Do not download artifacts of unrelated builds
This needs: is overridden in many cases, but ensures none of the other
main jobs start until this build finishes. However this also
ensures we do not download artifacts from any build unless we
specifically depend on it, saving bandwidth
Andrew Bartlett [Thu, 14 Oct 2021 07:24:49 +0000 (20:24 +1300)]
gitlab-ci: Do not retry for job_execution_timeout
If we timeout, we should just stop at 2 hours, not waste 6 hours (3 x 2 hours).
This is for when the job runs long for any reason, currently the
reasons for a timeout are not transient, we need to either change
the timeout or fix the system. Likewise if the tests get into a loop
or deadlock we want to see that as a failure.
Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Oct 14 19:51:59 UTC 2021 on sn-devel-184
Luke Howard [Thu, 23 Sep 2021 07:51:51 +0000 (17:51 +1000)]
kdc: correctly generate PAC TGS signature
When generating an AS-REQ, the TGS signature was incorrectly generated using
the server key, which would fail to validate if the server was not also the
TGS. Fix this.
[jsutton@samba.org Backported from Heimdal commit e7863e2af922809dad25a2e948e98c408944d551
- Samba's Heimdal version does not have the generate_pac() helper
function.
- Samba's Heimdal version does not use the 'r' context variable.
]
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Luke Howard [Thu, 23 Sep 2021 04:39:35 +0000 (14:39 +1000)]
kdc: use ticket client name when signing PAC
The principal in the PAC_LOGON_NAME buffer is expected to match the client name
in the ticket. Previously we were setting this to the canonical client name,
which would have broken PAC validation if the client did not request name
canonicalization
[jsutton@samba.org Backported from Heimdal commit f1dd2b818aa0866960945edea02a6bc782ed697c
- Removed change to _kdc_find_etype() use_strongest_session_key
parameter since Samba's Heimdal version uses different logic
]
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Isaac Boukris [Fri, 13 Aug 2021 09:44:37 +0000 (12:44 +0300)]
kdc: sign ticket using Windows PAC
Split Windows PAC signing and verification logic, as the signing has to be when
the ticket is ready.
Create sign and verify the PAC KDC signature if the plugin did not, allowing
for S4U2Proxy to work, instead of KRB5SignedPath.
Use the header key to verify PAC server signature, as the same key used to
encrypt/decrypt the ticket should be used for PAC server signature, like U2U
tickets are signed witht the tgt session-key and not with the longterm key,
and so krbtgt should be no different and the header key should be used.
Lookup the delegated client in DB instead of passing the delegator DB entry.
Add PAC ticket-signatures and related functions.
Note: due to the change from KRB5SignedPath to PAC, S4U2Proxy requests
against new KDC will not work if the evidence ticket was acquired from
an old KDC, and vide versa.
Isaac Boukris [Mon, 28 Dec 2020 20:07:10 +0000 (22:07 +0200)]
kdc: remove KRB5SignedPath, to be replaced with PAC
KRB5SignedPath was a Heimdal-specific authorization data element used to
protect the authenticity of evidence tickets when used in constrained
delegation (without a Windows PAC).
Remove this, to be replaced with the Windows PAC which itself now supports
signing the entire ticket in the TGS key.
projects / thirdparty / samba.git / log
